Network Working Group A. Langley
Internet-Draft Google Inc
Expires: July 5, 2014 Jan 2014
A TLS padding extensiondraft-agl-tls-padding-03
Abstract
This memo describes the a TLS extension that can be used to pad
ClientHello messages to a desired size.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 5, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Langley Expires July 5, 2014 [Page 1]

Internet-Draft TLS Padding Extension Jan 20141. Introduction
Successive TLS [RFC5246] versions have added support for more cipher
suites and, over time, more TLS extensions have been defined. This
has caused the size of the TLS ClientHello to grow and the additional
size has caused some implementation bugs to come to light. At least
one of these implementation bugs can be ameliorated by making the
ClientHello even larger.
This memo describes a TLS extension that can be used to pad a
ClientHello to a desired size in order to avoid implementation bugs
caused by certain ClientHello sizes.
Langley Expires July 5, 2014 [Page 3]

Internet-Draft TLS Padding Extension Jan 20143. Padding Extension
A new extension type ("padding(TBD)") is defined and MAY be included
by the client in its ClientHello message.
enum {
padding(TBD), (65535)
} ExtensionType;
The "extension_data" for the extension consists of an arbitary number
of zero bytes. For example, the smallest "padding" extension is four
bytes long and is encoded as TBD TBD 00 00. (TBR values to be filled
in once an ExtensionType has been assigned.) A ten byte extension
would include 6 bytes of "extension_data" and would be encoded as:
xx xx 00 06 00 00 00 00 00 00
|---| |---| |---------------|
| | |
| | \- extension_data: 6 zero bytes
| |
| \------------- 16-bit, extension_data length
|
\------------------- extension_type for padding extension
The client MUST fill the padding extension completely with zero
bytes, although the padding extension may be empty.
The server MUST NOT echo the extension.
Langley Expires July 5, 2014 [Page 5]

Internet-Draft TLS Padding Extension Jan 20144. Example usage
As an example, consider a client that wishes to avoid sending a
ClientHello with a record size between 256 and 511 bytes (inclusive).
This case is considered because at least one TLS implementation is
known to hang the connection when such a ClientHello record is
received.
After building a ClientHello as normal, the client can add four to
the length (to account for the "msg_type" and "length" fields of the
handshake protocol) and test whether the resulting length falls into
that range. If it does, a padding extension can be added in order to
push the length to (at least) 512 bytes.
Note that if the original ClientHello size was between 505 and 507
bytes then, with the handshake protocol overhead, the record would be
between 509 and 511 bytes long. Since it's not possible for an
extension to take less than four bytes of space, the additional
padding would have to expand the ClientHello record past 512 bytes in
these cases.
Langley Expires July 5, 2014 [Page 6]

Internet-Draft TLS Padding Extension Jan 20145. Security Considerations
The contents of the padding extension could be used as a covert
channel. In order to prevent this, the contents are required to be
all zeros, although the length of the extension can still be used as
a much smaller covert channel. Servers MAY verify that the extension
is either empty or contains only zero bytes, in order to enforce
this.
Langley Expires July 5, 2014 [Page 7]